Feature #408

Filestore / file.NUMBER renaming script inclusion with Suricata distribution

Added by Peter Manev about 2 years ago. Updated almost 2 years ago.

Status: Closed
Start date: 01/29/2012
Priority: Low
Due date:
Assignee: Peter Manev
% Done: 0%
Category: -
Target version: -

Description

Hi,
I have attached version 1.0 of a script that I would like to be considered for inclusion in the main Suricata distribution.
It makes use of the files stored in /var/log/suricata/files (depending on the files.rules used with the new file magic feature, starting with Suricata 1.2.1).

Basically it is a small script that does the following:

Please choose the options according to which you would like your files to be renamed.
They will be RENAMED (in the same directory) in the order below, depending on your selection, in the following fashion:
file.1 will become "file.1__TIME__SRCIP__DSTIP__PROTO__SRCPORT__DSTPORT__FILENAME" :
Notice the use of "__" (double _) as the field delimiter in the filename.
This script is to be EXECUTED in the "files" directory !! Your choice:

1 ) TIME
2 ) SRC_IP
3 ) DST_IP
4 ) PROTO
5 ) SRC_PORT
6 ) DST_PORT
7 ) FILENAME
Check an option (again to uncheck, ENTER when done):

and it will do the following (for example), FROM:

file.1
file.1.meta
file.2
file.2.meta
file.3
file.3.meta
file.4
file.4.meta
file.5
file.5.meta
file.6
file.6.meta
file.7
file.7.meta
file.8
file.8.meta

TO:

file.1__01-22-2012-19-53-33.504334__2.23.151.148__192.168.1.71__6__80__19652__3500148-en.pdf
file.1.meta
file.2__01-22-2012-19-53-58.799650__2.22.240.118__192.168.1.71__6__80__19658__OAC-TD-AG47W.pdf
file.2.meta
file.3__01-22-2012-20-25-07.916142__84.53.168.170__192.168.1.71__6__80__21531__prod_brochure0900aecd8019dc1f.pdf
file.3.meta
file.4__01-22-2012-20-45-06.210079__84.53.168.170__192.168.1.71__6__80__22034__prod_brochure0900aecd8019dc1f.pdf
file.4.meta
file.5__01-22-2012-20-45-25.614460__173.203.15.67__192.168.1.71__6__80__22040__corporate_timeline.pdf
file.5.meta
file.6__01-22-2012-20-45-27.446917__173.203.15.67__192.168.1.71__6__80__22041__corporate_timeline.pdf
file.6.meta
file.7__01-22-2012-20-45-27.446917__173.203.15.67__192.168.1.71__6__80__22041__favicon.ico
file.7.meta
file.8__01-22-2012-20-45-28.110054__173.203.15.67__192.168.1.71__6__80__22043__corporate_timeline.pdf
file.8.meta

for easier visibility, traceability and control.

Please feel free to criticize and make suggestions.

Thank you

file_convert_linux_v_1.0.sh (2.9 KB) Peter Manev, 01/29/2012 06:52 AM

History

#1 Updated by Victor Julien about 2 years ago

The filename in the .meta file can contain special and non printable characters. This was the reason for not using the name in the filename Suricata writes. How does this script deal with that?

#2 Updated by Peter Manev about 2 years ago

the script uses
1) TIME 2) SRC_IP 3) DST_IP 4) PROTO 5) SRC_PORT 6) DST_PORT 7) FILENAME

the only fields that can/do contain unprintable characters (not allowed in a file name) are:
1) TIME (date, time) - 01/22/2012-19:53:33.504334 - ("/" and ":"), and here this is converted to
01-22-2012-19-53-33.504334
7) FILENAME (in file.meta) - could be /www/info/books%/library%branch/somename_othername_company.pdf
but the script only takes the "real" filename - "somename_othername_company.pdf" - which itself would never contain disallowed characters.

thanks

#3 Updated by Victor Julien about 2 years ago

The filename can come from an attacker. Suricata writes the filename to the .meta file, only converting the unprintable bytes like 0x00 to \x00. Can the script deal with that?

#4 Updated by Peter Manev about 2 years ago

The script currently checks for the "/", ":", "%" in a filename (just the filename) and if they do exist they get replaced by "_".
I can further enhance the checks
or,
instead, if any disallowed character is found in a filename, I can make the script print "WARNING_unallowed_charcters_in_the_filename_.pdf", for example?

does this sound ok?

thanks

#5 Updated by Victor Julien almost 2 years ago

  • Status changed from New to Assigned
  • Assignee set to Peter Manev
  • Priority changed from Normal to Low

I'd prefer a reversed approach. Define a set of chars that are allowed, like A-z0-9_- etc and convert the rest to _.
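
Taken together, the renaming procedure from the description (file.N renamed from the fields of file.N.meta, "__" as the delimiter, the .meta left alone) and the allowlist approach asked for in #5 look like this in Python. This is an added example for this ticket, not the attached file_convert_linux_v_1.0.sh and not Suricata's own code. It assumes the 1.2-era .meta layout of one "KEY:  value" line per field (TIME, SRC IP, DST IP, PROTO, SRC PORT, DST PORT, FILENAME, ...), which should be checked against a real .meta before use; the sample .meta contents are constructed for the demo. Two choices go beyond what the ticket says: the allowlist is spelled out as A-Za-z0-9._- because a regex range written A-z would also admit "[\]^_`", and runs of "_" are collapsed inside every field so that a sanitized value (an IPv6 "::", an escaped "\x00") can never contain the "__" delimiter and confuse anything that later splits the new name on it.

```python
"""Rename Suricata filestore captures (file.N) from their file.N.meta fields.

Added example for this ticket: not the attached file_convert_linux_v_1.0.sh
and not Suricata's own code. ASSUMPTION: the 1.2-era .meta layout is one
"KEY:  value" line per field (TIME, SRC IP, DST IP, PROTO, SRC PORT,
DST PORT, FILENAME, ...). Every value came from the wire and is hostile.
"""
import os
import re
import tempfile

# Allowlist per comment #5, with the letter ranges spelled out (a regex
# range A-z would also admit "[\]^_`"). Anything else becomes "_".
_DISALLOWED = re.compile(r"[^A-Za-z0-9._-]")
FIELD_ORDER = ("TIME", "SRC IP", "DST IP", "PROTO", "SRC PORT", "DST PORT", "FILENAME")
MAX_BASENAME = 100  # bounds the final name well below NAME_MAX (255)


def parse_meta(text):
    """"KEY: value" lines -> dict; the first occurrence of a key wins."""
    meta = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            meta.setdefault(key.strip(), value.strip())
    return meta


def sanitize_field(value):
    """Allowlist a value, then collapse runs of "_" so no field can contain
    the "__" delimiter (an IPv6 "::" would otherwise produce one)."""
    return re.sub(r"_+", "_", _DISALLOWED.sub("_", value))


def sanitize_time(value):
    """01/22/2012-19:53:33.504334 -> 01-22-2012-19-53-33.504334, as the ticket does."""
    return sanitize_field(value.replace("/", "-").replace(":", "-"))


def sanitize_filename(value):
    """Last "/" component only, allowlisted. Suricata already escaped
    non-printables as \\xNN, so that backslash simply becomes "_". Leading
    dots are dropped so the result is never "", "." or ".."; length is capped."""
    safe = sanitize_field(value.rsplit("/", 1)[-1]).lstrip(".")
    return (safe or "unnamed")[:MAX_BASENAME]


def build_name(orig, meta, fields=FIELD_ORDER):
    """file.1 -> file.1__TIME__SRCIP__DSTIP__PROTO__SRCPORT__DSTPORT__FILENAME"""
    parts = [orig]
    for field in fields:
        value = meta.get(field) or "NA"  # missing/empty field -> "NA"
        if field == "TIME":
            parts.append(sanitize_time(value))
        elif field == "FILENAME":
            parts.append(sanitize_filename(value))
        else:
            parts.append(sanitize_field(value))
    return "__".join(parts)


def rename_files(directory, fields=FIELD_ORDER, dry_run=True):
    """Rename each file.N that has a file.N.meta; the .meta stays untouched,
    as in the ticket. Returns {old_name: new_name}."""
    renamed = {}
    for name in sorted(os.listdir(directory)):
        meta_path = os.path.join(directory, name + ".meta")
        if not re.fullmatch(r"file\.\d+", name) or not os.path.isfile(meta_path):
            continue
        with open(meta_path, encoding="utf-8", errors="replace") as fh:
            new = build_name(name, parse_meta(fh.read()), fields)
        if not dry_run:
            os.rename(os.path.join(directory, name), os.path.join(directory, new))
        renamed[name] = new
    return renamed


# Constructed sample .meta contents: file.1 mirrors the ticket's example,
# file.2 has an IPv6 peer and a name carrying Suricata's escaped NUL byte.
SAMPLE_META = {
    "file.1": "TIME:      01/22/2012-19:53:33.504334\nSRC IP:    2.23.151.148\n"
              "DST IP:    192.168.1.71\nPROTO:     6\nSRC PORT:  80\n"
              "DST PORT:  19652\nHTTP URI:  /docs/3500148-en.pdf\n"
              "FILENAME:  /docs/3500148-en.pdf\nMAGIC:     PDF document\n",
    "file.2": "TIME:      01/22/2012-20:00:00.000000\nSRC IP:    2001:db8::1\n"
              "DST IP:    192.168.1.71\nPROTO:     6\nSRC PORT:  80\n"
              "DST PORT:  19700\nFILENAME:  /www/info/evil\\x00 name.pdf\n",
}


def demo():
    """Write the samples to a temp dir, rename for real, return (mapping, listing)."""
    with tempfile.TemporaryDirectory() as d:
        for name, meta in SAMPLE_META.items():
            with open(os.path.join(d, name), "wb"):
                pass
            with open(os.path.join(d, name + ".meta"), "w", encoding="utf-8") as fh:
                fh.write(meta)
        mapping = rename_files(d, dry_run=False)
        return mapping, sorted(os.listdir(d))


if __name__ == "__main__":
    for old, new in demo()[0].items():
        print(old, "->", new)
```

Run it once with the default dry_run=True against a copy of the files directory and inspect the mapping before letting it rename anything. The collapsing of "_" runs means a legitimate "corporate__timeline.pdf" becomes "corporate_timeline.pdf"; that loss is deliberate, since the alternative is a new name whose fields cannot be split back apart unambiguously.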

#6 Updated by Peter Manev almost 2 years ago

Actually, with the introduction of our JSON output, this script wouldn't make sense.

#7 Updated by Victor Julien almost 2 years ago

  • Status changed from Assigned to Closed

Agreed. Closing.
